This technical note describes how Reflection for Secure IT works with the Solaris 10 zones feature, focusing on the effect of the -G install switch and on behaviour in the global zone and in the two kinds of non-global zone: sparse root and whole root.
Zones are a feature in Solaris 10 that allow a single Solaris instance to be partitioned into isolated application environments.
The following package attributes influence how a Reflection for Secure IT package behaves when it is installed in a zone environment. Their values depend on the Reflection version:
| Variable | 6.1.x | 7.0 |
|---|---|---|
| SUNW_PKG_ALLZONES | False | True |
| SUNW_PKG_HOLLOW | False | False |
| SUNW_PKG_THISZONE | False | False |
Note: In version 6.1.x, the above variables are not explicitly set, so they are not visible in the pkginfo file. The values are visible in the 7.0 pkginfo file.
If only the global zone is used, Reflection for Secure IT 6.1 or higher behaves as it did on earlier Solaris versions, which did not support zones.
If you are installing Reflection for Secure IT 6.1 or higher in a Solaris 10 environment for the first time, you cannot install Reflection into a sparse root zone. By default, a sparse root zone mounts /usr, /lib, /platform, and /sbin read-only from the global zone, so Reflection cannot be installed in a sparse root zone.
If you have replaced the default Solaris ssh in the global zone with Reflection for Secure IT 6.1 or higher and then create a new sparse root zone, Reflection for Secure IT behaves as a standalone installation in the new sparse root zone, with its own /etc/ssh2 directory containing the configuration files. So, while the binaries inherited from the global zone are read-only, the configuration files in the zone's /etc/ssh2 directory are read/write.
Reflection for Secure IT 7.0 cannot be installed in a whole root zone. Reflection 7.0 must be installed in the global zone for any current or future whole root zones to inherit Reflection.
Reflection for Secure IT 6.1.x can be installed in, and works in, a whole root zone. By definition, a whole root configuration is a non-global zone that does not inherit any directories from the global zone. Thus you have a more complete Solaris zone in which /usr, /lib, /platform, and /sbin are writable.
If Reflection for Secure IT 6.1.x has been installed in the global zone with the -G switch, it is not added to a whole root zone when that zone is created. Reflection 6.1.x can then be installed in the whole root zone and operates independently of the installation in the global zone. Each installation is unique and independent, with separate host keys and daemons that can be started and stopped without affecting the other installation.
If Reflection for Secure IT 6.1.x has been installed in the global zone without the -G switch, Reflection is added to a whole root zone when that zone is created. While the two Reflection installations are unique and not dependent on each other, removing Reflection from the global zone also removes it from the whole root zone. Removing Reflection from the whole root zone does not affect the global zone.
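As an added illustration, not from the original note or the product, the following POSIX shell script encodes the attribute table and the -G behaviour described above: it reads the SUNW_PKG_* attributes from pkginfo text, reports where pkgadd will place the package, and checks a zonecfg export for the inherit-pkg-dir entry that makes a zone sparse root. The pkginfo and zonecfg text are constructed for the example, and the rule that -G is rejected for a SUNW_PKG_ALLZONES=true package comes from pkgadd's general attribute handling rather than from this note.

```shell
# Constructed pkginfo excerpts, not real package files. The first is shaped like the
# 6.1.x package, which leaves the SUNW_PKG_* attributes unset; the second like 7.0.
PKGINFO_61='VERSION=6.1.0'
PKGINFO_70='VERSION=7.0.0
SUNW_PKG_ALLZONES=true
SUNW_PKG_HOLLOW=false
SUNW_PKG_THISZONE=false'
# Constructed "zonecfg -z <zone> export" output for a sparse root and a whole root zone.
SPARSE_CFG='create -b
set zonepath=/zones/sparse1
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/usr
end'
WHOLE_CFG='create -b
set zonepath=/zones/whole1'

# pkg_attr NAME TEXT: value of NAME in the pkginfo text, lower-cased; an unset
# attribute reads as "false", which is how pkgadd treats it (the 6.1.x case).
pkg_attr() {
    val=$(printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr 'A-Z' 'a-z')
    printf '%s' "${val:-false}"
}

# zone_scope TEXT USED_G (yes|no): where pkgadd places the package.
#   allzones  - global zone plus every non-global zone; -G is rejected (7.0)
#   thiszone  - only the zone pkgadd ran in (6.1.x installed with -G)
#   propagate - global zone now, copied into whole root zones created later (6.1.x)
zone_scope() {
    if [ "$(pkg_attr SUNW_PKG_ALLZONES "$1")" = true ]; then
        [ "$2" = yes ] && echo rejected || echo allzones
    elif [ "$(pkg_attr SUNW_PKG_THISZONE "$1")" = true ] || [ "$2" = yes ]; then
        echo thiszone
    else
        echo propagate
    fi
}

# is_sparse_root TEXT: succeeds when the export inherits /usr from the global
# zone, i.e. /usr is read-only there and Reflection cannot be installed in it.
is_sparse_root() {
    printf '%s\n' "$1" | awk '
        /^add inherit-pkg-dir/ { inres = 1 }
        inres && /^set dir=\/usr$/ { found = 1 }
        /^end/ { inres = 0 }
        END { exit found ? 0 : 1 }'
}
```

On a live system, feed `zone_scope` the contents of the package's pkginfo file and `is_sparse_root` the output of `zonecfg -z <zone> export` to predict the behaviour before running pkgadd.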